<?xml version="1.0" encoding="UTF-8" ?>

<rss version="2.0"
  xmlns:ent="http://www.purl.org/NET/ENT/1.0/"
  xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
  <title>Musings on Information Security</title>
  <link>http://ravichar.blogharbor.com/blog</link>
  <description></description>
  <language>en-us</language>
  <lastBuildDate>Thu, 28 May 2009 14:07:28 -0700</lastBuildDate>
  <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
  <generator>Blogware</generator>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>More money for information security in this recession economy... Oh yeah!</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2009/5/28/4203287.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2009/5/28/4203287.html</guid>
    <pubDate>Thu, 28 May 2009 06:50:49 -0700</pubDate>
    <description>&lt;P&gt;Information security investments are hard to justify in good times and harder to justify in bad times. If you invest wisely in information security and prevent bad stuff from happening, there won&#39;t be sensational security incidents and thus no visibility - a catch-22, is it not?&lt;/P&gt;
&lt;P&gt;There is another way to get a security budget than asking for it right off the bat. For that we need to understand that a customer who is educated about information security is always a happy customer. Senior management is a customer of the information security service that you offer. You have to work up to get their attention.&lt;/P&gt;
&lt;P&gt;- Publish information security articles in the company&#39;s newsletters.&lt;/P&gt;
&lt;P&gt;- Publish news items about information security on the company&#39;s Intranet.&lt;/P&gt;
&lt;P&gt;- Set up an information security booth at the company&#39;s events, and keep raffle prizes, else no one will visit your booth, I promise!&lt;/P&gt;
&lt;P&gt;- Launch companywide information security awareness training and also give a security awareness presentation to executives.&lt;/P&gt;
&lt;P&gt;- Distribute security awareness flyers.&lt;/P&gt;
&lt;P&gt;- Give awards to developers following good security practices.&lt;/P&gt;
&lt;P&gt;- Make security fun: announce a crypto challenge, and keep attractive prizes (iPod, IronKey) for the winners.&lt;/P&gt;
&lt;P&gt;All of the above creates a background for information security; this leads to conversations, which create a perception of information security. By the time you go to upper management to ask for budget, half the battle is won. The other half is to communicate to senior management in a language of risk (which they understand). Don&#39;t ask for budget right away; dialogue with senior management in order to understand an acceptable business risk profile, then propose a security solution which can provide that risk profile. Lastly, ask for money to provide the security solution. Since they accepted the risk profile, I bet you are likely to get the money!&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Pragmatic Web Application Security</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2009/3/20/4128292.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2009/3/20/4128292.html</guid>
    <pubDate>Fri, 20 Mar 2009 07:15:03 -0700</pubDate>
    <description>&lt;P&gt;I have condensed my earlier series of articles on Pragmatic Web Application Security into a single document. &lt;/P&gt;
&lt;P&gt;&lt;A href=&quot;http://ravichar.blogharbor.com/Pragmatic%20Web%20Application%20Security.pdf&quot;&gt;http://ravichar.blogharbor.com/Pragmatic%20Web%20Application%20Security.pdf&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Feedback? You can reach me at: RaviChar AT GMAIL DOT COM&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Pragmatic Web Application Security - Part 9 - Summary &amp; Conclusion</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2009/3/20/4128274.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2009/3/20/4128274.html</guid>
    <pubDate>Fri, 20 Mar 2009 07:06:12 -0700</pubDate>
    <description>&lt;TABLE width=631&gt;
&lt;TBODY&gt;
&lt;TR vAlign=top&gt;
&lt;TD&gt;&lt;FONT face=Garamond size=3&gt;Web services technology is rapidly evolving, creating endless opportunities for user participation. These developments provide a multitude of possibilities for hackers to compromise web applications. This raises several security concerns in the realm of Web Application Security. The approach outlined in this paper attempts to address these security concerns. Pragmatically speaking, the company brand name can be protected at a reasonable cost in a few simple steps to ensure Web Application Security. This can minimize the chances of the CIO’s phone ringing at midnight for “web security stuff”.&lt;/FONT&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;
</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Pragmatic Web Application Security - Part 8 - Technical Controls</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2009/3/19/4127734.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2009/3/19/4127734.html</guid>
    <pubDate>Thu, 19 Mar 2009 07:07:57 -0700</pubDate>
    <description>&lt;FONT face=Garamond size=4&gt;It is not within the scope of this paper to address the gory details of Technical Controls. Technical controls can ensure the security of web applications. Some of the recommended technical controls for Web Application Security are:&lt;/FONT&gt; 
&lt;UL type=DISC&gt;
&lt;LI&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Firewall, IDS/IPS&lt;/FONT&gt; &lt;/FONT&gt;
&lt;LI&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Hardened OS&lt;/FONT&gt; &lt;/FONT&gt;
&lt;LI&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Hardened Web Server&lt;/FONT&gt; &lt;/FONT&gt;
&lt;LI&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;DMZ Architecture&lt;/FONT&gt; &lt;/FONT&gt;
&lt;LI&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Design of High Availability (at the least 99.99% uptime)&lt;/FONT&gt; &lt;/FONT&gt;
&lt;LI&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Access Control for Applications&lt;/FONT&gt; &lt;/FONT&gt;
&lt;LI&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Encryption for Sensitive Data&lt;/FONT&gt; &lt;/FONT&gt;
&lt;LI&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Web Application Firewall&lt;/FONT&gt; &lt;/FONT&gt;
&lt;LI&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Source Code Scanning&lt;/FONT&gt; &lt;/FONT&gt;
&lt;LI&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;SAS 70 Certified Datacenter Infrastructure&lt;/FONT&gt; &lt;/FONT&gt;&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;FONT face=Garamond size=4&gt;It is desirable for an ASP to have these controls in place. Preferably, controls such as IDS/IPS should be in place, but they are not mandatory. The same is the case with a Web Application Firewall.&lt;/FONT&gt;&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Pragmatic Web Application Security - Part 7 - Education/Awareness</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2009/3/17/4126098.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2009/3/17/4126098.html</guid>
    <pubDate>Tue, 17 Mar 2009 07:04:07 -0700</pubDate>
    <description>&lt;P&gt;&lt;FONT face=Garamond&gt;The importance of Security Awareness and Education cannot be downplayed.&lt;/FONT&gt; &lt;/P&gt;
&lt;P&gt;&lt;FONT face=Garamond size=3&gt;The human element is the weakest element in security. In Step 2, we created policies. It is important that relevant team members are well aware of the security policies. The relevant team members should have knowledge of the company’s Information Classification Policy; without this, “Sensitive Data” is at risk of being handled incorrectly. A Fortune 500 company had Content Publishers who were managing content without knowledge of the Information Classification Policy. The Content Publishers uploaded some sensitive content to the publishing area. The publishing software copied the sensitive content to the production website. This exposed the company’s sensitive information on the public Internet until it was noticed by an external party, who ended up alerting the company CIO.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face=Garamond size=3&gt;To ensure proper data handling, Awareness and Education are very important.&lt;/FONT&gt;&lt;/P&gt;
&lt;UL type=DISC&gt;
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Content Publishers should have knowledge of the Information Classification Policy&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Project Managers should have knowledge of the Policy for Auditing ASPs&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Website Administrators and Infrastructure Administrators should have knowledge of the Policy for Hosting Websites and follow the guidelines outlined in the policy.&lt;/FONT&gt; &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;FONT face=Garamond size=3&gt;In dealing with ASPs, it can be verified during the ASP Audit itself that they have well-defined policies in these areas. Moreover, Project Managers should communicate to the ASP the sensitivity of the data on the website and its handling requirements. These items can be addressed in the Services Agreement if warranted.&lt;/FONT&gt;&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Pragmatic Web Application Security - Part 6 - Vulnerability Assessment and Remediation</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2009/3/16/4125066.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2009/3/16/4125066.html</guid>
    <pubDate>Mon, 16 Mar 2009 07:07:51 -0700</pubDate>
    <description>&lt;P&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;This involves two components: Host Vulnerability Scanning and Application Vulnerability Scanning. A multitude of tools exist in the market that can do Host Vulnerability Scanning; nCircle is one of them.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face=Garamond size=4&gt;For Application Vulnerability Scanning there are many players out there, such as Watchfire. Many of these players find the usual vulnerabilities in the application. Outsourced application security vendors such as WhiteHat not only find typical application vulnerabilities but also find application business logic errors.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Vulnerability assessment will yield a list of vulnerabilities. Ranking these vulnerabilities is a good starting point. The vulnerabilities should be ranked based on Severity Level and Threat Level. Threat is the likelihood of the vulnerability being exploited, and severity is how badly it can affect the business if the vulnerability is realized.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face=Garamond size=4&gt;The Web Developers need to be competent to remediate these vulnerabilities. This can happen only through proper training. A Secure Software Development methodology helps build secure web applications from the ground up.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Apart from fixing these vulnerabilities, Web Developers have other priorities. Their schedule needs to be respected, and they should be dealt with tactfully to get vulnerabilities remediated. Some of these vulnerabilities are inter-dependent: remediation of a single vulnerability could remediate several other vulnerabilities.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face=Garamond size=4&gt;Vulnerabilities can be integrated into an already existing bug tracking system under the category “security”. Web Developers can remediate these bugs along with other bugs. This approach relieves the workload of tracking security vulnerabilities separately.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;For an ASP hosted website, there is limited visibility into their web development process. Before you perform a vulnerability assessment on an ASP website, ensure that you have consent from them in the form of a legal agreement. Performing a vulnerability assessment (or a scan) without their consent could lead to legal ramifications. The author made the mistake of performing an application vulnerability scan on an ASP, speculating that it would not be too much of a load on their site. Unfortunately, the scanner behaved weirdly, causing a flood of traffic to the ASP website. The ASP was not happy; luckily for the author, the ASP let the problem resolve in a peaceful way, else this could have led to legal ramifications.&lt;/FONT&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face=Garamond size=4&gt;Performing a Security Audit on an ASP can help address some concerns. During the Security Audit, we can request the ASP to provide an Application Vulnerability Scan Report and/or Host Vulnerability Scan Report if they already have one. In some situations, this can relieve us from coordinating with the ASP to perform a vulnerability scan ourselves.&lt;/FONT&gt;&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Pragmatic Web Application Security - Part 5 - Create  Policies</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2009/3/13/4121670.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2009/3/13/4121670.html</guid>
    <pubDate>Fri, 13 Mar 2009 07:05:35 -0700</pubDate>
    <description>&lt;TABLE width=631&gt;
&lt;TBODY&gt;
&lt;TR vAlign=top&gt;
&lt;TD&gt;&lt;FONT face=Garamond size=3&gt;Creating a policy is relatively easy compared to enforcing a policy. There need to be standard policies for:&lt;/FONT&gt; 
&lt;UL type=DISC&gt;
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Policy for Hosting Websites&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Policy for Auditing ASPs&lt;/FONT&gt; &lt;/LI&gt;&lt;/UL&gt;&lt;FONT face=Garamond size=3&gt;&lt;STRONG&gt;Policy for Hosting Websites:&lt;/STRONG&gt; The objective is to set security requirements for the company’s external websites that are accessible over the public Internet. This policy should apply to all websites, whether hosted by the company or by an ASP. As an example, some of the standards in the policy can be:&lt;/FONT&gt; 
&lt;UL type=DISC&gt;
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;All content will be thoroughly reviewed to identify the sensitivity of data before being published&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Personnel responsible for publishing the content shall be adequately trained in the company’s Information Classification Policy, so that they are aware of data handling requirements&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Technical standards for infrastructure and web servers&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Secure development of web applications&lt;/FONT&gt; &lt;/LI&gt;&lt;/UL&gt;&amp;nbsp;&lt;FONT face=Garamond size=3&gt;&lt;STRONG&gt;Policy for Auditing ASPs:&lt;/STRONG&gt; The objective is to set requirements for ASPs that handle the company’s data. Some of the requirements can be:&lt;/FONT&gt; 
&lt;UL type=DISC&gt;
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Well articulated Information Security Policy&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Infrastructure requirements&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Data handling requirements&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Application security requirements&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Availability requirements&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Personnel requirements&lt;/FONT&gt; &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;FONT face=Garamond size=3&gt;The policy needs to be well articulated and communicated to the relevant team members. This will set a reference point for expectation in terms of Web Application Security.&lt;/FONT&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;
</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Pragmatic Web Application Security - Part 4 - Plan for Web Application Security</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2009/3/11/4119238.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2009/3/11/4119238.html</guid>
    <pubDate>Wed, 11 Mar 2009 07:05:38 -0700</pubDate>
    <description>&lt;TABLE width=631&gt;
&lt;TBODY&gt;
&lt;TR vAlign=top&gt;
&lt;TD&gt;&lt;FONT face=Garamond size=3&gt;Websites run web applications. It is important to understand what is at stake in this exercise. The first step is to gather a list of the company’s Internet facing websites. These sites can be of two types:&lt;/FONT&gt; 
&lt;UL type=DISC&gt;
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Company Hosted&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;ASP (&lt;strong&gt;A&lt;/strong&gt;pplication &lt;strong&gt;S&lt;/strong&gt;ervice &lt;strong&gt;P&lt;/strong&gt;rovider) Hosted&lt;/FONT&gt; &lt;/LI&gt;&lt;/UL&gt;&amp;nbsp;&lt;FONT face=Garamond size=3&gt;The next step is to identify the types of data these websites have. Now we have 4 different classification levels:&lt;/FONT&gt;
&lt;UL type=DISC&gt;
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Company Hosted with Sensitive Data&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;Company Hosted with Public Data&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;ASP Hosted with Sensitive Data&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=3&gt;ASP Hosted with Public Data&lt;/FONT&gt; &lt;/LI&gt;&lt;/UL&gt;&amp;nbsp;&lt;FONT face=Garamond size=3&gt;The Table below gives a summary of websites and controls that should be in place to ensure Web Application Security:&lt;/FONT&gt;&amp;nbsp;&lt;BR&gt;
&lt;DIV align=left&gt;
&lt;TABLE cellSpacing=0 width=501 border=2&gt;
&lt;TBODY&gt;
&lt;TR vAlign=top&gt;
&lt;TD bgColor=#ccffcc height=6&gt;&lt;FONT face=Garamond size=2&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;strong&gt;Hosting Model&lt;/strong&gt;&lt;/FONT&gt;&lt;/TD&gt;
&lt;TD bgColor=#ccffcc rowSpan=2&gt;&lt;FONT face=Garamond size=2&gt;Company Hosted &lt;/FONT&gt;&lt;/TD&gt;
&lt;TD bgColor=#ccffcc rowSpan=2&gt;&lt;FONT face=Garamond size=2&gt;ASP Hosted &lt;/FONT&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR vAlign=top&gt;
&lt;TD bgColor=#ffcc99 height=6&gt;&lt;FONT face=Garamond size=2&gt;&lt;strong&gt;Data Type&lt;/strong&gt;&lt;/FONT&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR vAlign=top&gt;
&lt;TD bgColor=#ffcc99&gt;&lt;FONT face=Garamond size=2&gt;Sensitive&lt;/FONT&gt;&lt;/TD&gt;
&lt;TD&gt;&lt;FONT face=Garamond size=2&gt;&lt;strong&gt;Objective: &lt;/strong&gt;Ensure Confidentiality, Integrity and Availability&lt;/FONT&gt; 
&lt;UL type=DISC&gt;
&lt;LI&gt;&lt;FONT face=Garamond size=2&gt;Service Level Agreement with Internal Web&amp;nbsp; Dept&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=2&gt;Application Vulnerability Assessment &lt;/FONT&gt;
&lt;LI&gt;&lt;FONT face=Garamond size=2&gt;Access Control&lt;/FONT&gt; &lt;/LI&gt;&lt;/UL&gt;&lt;/TD&gt;
&lt;TD&gt;&lt;FONT face=Garamond size=2&gt;&lt;strong&gt;Objective: &lt;/strong&gt;Ensure Confidentiality, Integrity and Availability&lt;/FONT&gt; 
&lt;UL type=DISC&gt;
&lt;LI&gt;&lt;FONT face=Garamond size=2&gt;ASP Audit&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=2&gt;Master Service Agreement and Service Level Agreement with ASP&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=2&gt;Application Vulnerability Assessment with ASP’s involvement (if needed)&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=2&gt;Access Control&lt;/FONT&gt; &lt;/LI&gt;&lt;/UL&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR vAlign=top&gt;
&lt;TD bgColor=#ffcc99 height=75&gt;&lt;FONT face=Garamond size=2&gt;Public&lt;/FONT&gt;&lt;/TD&gt;
&lt;TD&gt;&lt;FONT face=Garamond size=2&gt;&lt;strong&gt;Objective: &lt;/strong&gt;Ensure Integrity and Availability&lt;/FONT&gt; 
&lt;UL type=DISC&gt;
&lt;LI&gt;&lt;FONT face=Garamond size=2&gt;Service&amp;nbsp;Level Agreement with Web Dept&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=2&gt;Application Vulnerability Assessment&lt;/FONT&gt; &lt;/LI&gt;&lt;/UL&gt;&lt;/TD&gt;
&lt;TD&gt;&lt;FONT face=Garamond size=2&gt;&lt;strong&gt;Objective: &lt;/strong&gt;Ensure Integrity and Availability&lt;/FONT&gt; 
&lt;UL type=DISC&gt;
&lt;LI&gt;&lt;FONT face=Garamond size=2&gt;ASP Audit&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=2&gt;Master Service Agreement and Service Level Agreement with ASP&lt;/FONT&gt; 
&lt;LI&gt;&lt;FONT face=Garamond size=2&gt;Application Vulnerability Assessment with ASP’s involvement (if needed)&lt;/FONT&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/DIV&gt;&amp;nbsp;&lt;BR&gt;&amp;nbsp;&lt;FONT face=Garamond size=3&gt;Identify sites that are in scope based on criticality of website for the business. A simple way to do this is by asking: What will happen if this website goes down for a day? The available &lt;strong&gt;budget &lt;/strong&gt;to implement the plan sets the upper limit for in scope websites.&lt;/FONT&gt;&amp;nbsp;&lt;BR&gt;
&lt;P&gt;&lt;FONT face=Garamond size=3&gt;Identify relevant team members for Company Hosted websites: Sponsors, Project Managers, Content Publishers, Web Administrators and Infrastructure/System Administrators.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face=Garamond size=3&gt;Identify relevant team members for ASP Hosted websites: Sponsors, Company Project Managers, and ASP contact information such as ASP Project Managers, ASP Security Architect and ASP Infrastructure/System Administrators.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face=Garamond size=3&gt;This inventory will empower you with the knowledge to carry out the next steps pragmatically.&lt;/FONT&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Pragmatic Web Application Security - Part 3 -  Web Application Security?</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2009/3/10/4118226.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2009/3/10/4118226.html</guid>
    <pubDate>Tue, 10 Mar 2009 07:10:00 -0700</pubDate>
    <description>&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Applications are a catalyst to our day-to-day business functions. An application that is accessible via the browser is also known as a Web Application. With the advent of Web 2.0, which provides user centric (also collaborative) web based services, users are gaining more control over web applications. This enhanced control provides more possibilities for hackers to exploit Web Applications. One recent example of a sophisticated Web 2.0 attack vector is feed injection.&lt;/FONT&gt;
&lt;P&gt;&lt;FONT face=Garamond size=4&gt;Web Application Security is ensuring the confidentiality, integrity and availability of Web Applications. &lt;/FONT&gt;&lt;A href=&quot;http://www.webappsec.org/projects/threat/&quot; target=_blank&gt;&lt;FONT face=Garamond color=#0000ff size=4&gt;&lt;U&gt;Web Application Security Consortium&lt;/U&gt;&lt;/FONT&gt;&lt;/A&gt;&lt;FONT face=Garamond size=4&gt; has excellent resources in this domain. The attack class can vary from a simple “Directory Indexing” to a complicated “Cross-site scripting”.&lt;/FONT&gt;&lt;/P&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Any Web Application Security Plan has to be practical. A company can have hundreds of websites (Internal or External), so it is not possible to bring all the sites under this plan; hence it is a good idea to define the scope. In this document, the focus is on the websites facing the Internet. Many companies have a “Turtle” model of security. The Turtle model of security is a &lt;STRONG&gt;hard shell exterior &lt;/STRONG&gt;and a &lt;STRONG&gt;soft chewy interior&lt;/STRONG&gt;. The essence of the model is that a company does not trust folks coming from outside, hence the perimeter is protected with Firewall/IDS/IPS. The internal workforce is trusted not to cause an information security breach – this sounds idealistic, but that is the reality in many companies. Once you are inside, you pretty much can lay hands on anything. Web applications inside the shell are considered off limits to hackers. Web applications outside the shell or in the DMZ are considered vulnerable.&lt;/FONT&gt;
&lt;P&gt;&lt;FONT face=Garamond size=4&gt;The focus of the article is Web Application Security of Internet facing websites. The same methodology can be applied to Internal websites with some tweaking. In my next blog post I narrate a pragmatic four-step plan to ensure Web Application Security.&lt;/FONT&gt;&lt;/P&gt;&lt;/FONT&gt;&lt;/FONT&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Pragmatic Web Application Security Part 2 - Act to Protect Brand</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2009/3/9/4117232.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2009/3/9/4117232.html</guid>
    <pubDate>Mon, 09 Mar 2009 07:04:12 -0700</pubDate>
    <description>&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Doing nothing is not an acceptable solution. If Wayne, the Information Security Manager, does not come up with a Web Application Security plan, similar Hot Seat incidents are likely to recur and can tarnish the brand image. Moreover, it can cause significant Business Risk and Business Impact.&lt;/FONT&gt;&lt;/FONT&gt;
&lt;P&gt;&lt;FONT face=Garamond size=4&gt;Brand damage can hurt a company’s market capitalization. It is well known that any bad news can hurt a company’s market capitalization by 3-10%. A billion dollar company can take a hit of several million dollars in market capitalization as a result of bad publicity from a security breach.&lt;/FONT&gt;&lt;/P&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Perception is everything. Customers perceive a company’s online identity through its strong presence on the web. A customer stumbling upon poor web application design, such as an error page spewing the gory details of the website’s back end database, will have a spoiled customer experience, and this affects the company’s identity.&lt;/FONT&gt;&lt;/FONT&gt;
&lt;P&gt;&lt;FONT face=Garamond size=4&gt;Moreover, customers constantly assess a company’s identity before doing business with it. Customers will not do business with a company whose information security practices are viewed as unreliable. Customers may scale down or even stop transacting with companies whose security practices are viewed poorly.&lt;/FONT&gt;&lt;/P&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Web applications accessible over the Internet are highly visible to customers and to the public. On a similar note, they are accessible to hackers who are out there to exploit any opportunity presented by negligence or lack of planning in deploying these websites.&lt;/FONT&gt;&lt;/FONT&gt;
&lt;P&gt;&lt;FONT face=Garamond size=4&gt;There could be a revenue impact due to a security breach of an eCommerce website. Customers may not want to do business with the company over the web. Moreover, these sites could hold sensitive customer data. A breach of customer data can put a company in a world of legal ramifications.&lt;/FONT&gt;&lt;/P&gt;&lt;FONT size=4&gt;&lt;FONT face=Garamond&gt;Hackers are becoming more professional. Their attacks are not motivated by ego as was the case in the past, but more by economic gains. Their attacks are refined and are more focused on access to sensitive data behind the applications. They use the sensitive data for economic gain.&lt;/FONT&gt;&lt;/FONT&gt;
&lt;P&gt;&lt;FONT face=Garamond size=4&gt;Doing nothing is not an option here. A company has to act wisely to secure its websites to protect its brand.&lt;/FONT&gt;&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Pragmatic Web Application Security - Part 1 -  Hot Seat</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2009/3/6/4114666.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2009/3/6/4114666.html</guid>
    <pubDate>Fri, 06 Mar 2009 07:06:00 -0800</pubDate>
    <description>&lt;TABLE width=631&gt;
&lt;TBODY&gt;
&lt;TR vAlign=top&gt;
&lt;TD&gt;
&lt;H5&gt;&amp;nbsp;&lt;/H5&gt;&lt;/TD&gt;
&lt;TD&gt;&lt;FONT face=Garamond size=3&gt;The World Wide Web has evolved from a document sharing tool to a highly interactive platform where software applications can be offered as a service – SaaS (Software as a Service). Users have more control on the web than in Web 1.0 due to the collaborative nature of the Web 2.0 platform. This has opened possibilities for hackers to exploit web applications. This series of articles provides a practical approach to finding a solution to Web Application Security concerns.&lt;/FONT&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;
&lt;DIV align=left&gt;
&lt;TABLE width=631&gt;
&lt;TBODY&gt;
&lt;TR vAlign=top&gt;
&lt;TD&gt;
&lt;H5&gt;&amp;nbsp;&lt;/H5&gt;&lt;/TD&gt;
&lt;TD&gt;&lt;FONT face=Garamond size=3&gt;This series is intended for Information Security Managers who are responsible for implementing web application security. Hope you enjoy the narratives that follow!&lt;/FONT&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/DIV&gt;
&lt;DIV align=left&gt;
&lt;TABLE width=631&gt;
&lt;TBODY&gt;
&lt;TR vAlign=top&gt;
&lt;TD&gt;
&lt;H5&gt;&lt;FONT face=Garamond size=3&gt;&lt;STRONG&gt;
&lt;TABLE width=631&gt;
&lt;TBODY&gt;
&lt;TR vAlign=top&gt;
&lt;TD&gt;&lt;FONT face=Garamond size=3&gt;It is around 1:00am. The phone is ringing. Steve, the CIO, had a stressful previous day working on a plan for next year’s roadmap. Steve has hardly had an hour of sleep; the sound of the phone ringing is bothering him. In a semi-awake state he gets out of bed to answer the phone, wishing it were a misdialed call. It is Roger, the CEO, at the other end. Roger was notified by an Analyst that the company’s public ftp website contains offensive and objectionable content. Roger tells Steve to do whatever it takes to bring the situation back to normal. Steve is worried about the company brand name.&lt;/FONT&gt;&lt;BR&gt;
&lt;P&gt;&lt;FONT face=Garamond size=3&gt;Steve hangs up the phone. He dials Wayne, the Information Security Manager. In an apparently upset tone, he instructs Wayne to get the situation back to normal and provide regular updates. Wayne calls Tim, the Information Security Lead, and asks him to act on this.&lt;/FONT&gt;&lt;/P&gt;&lt;FONT face=Garamond size=3&gt;Tim springs into action and sets up a conference call with the ftp website&#39;s Project Manager and other relevant team members. The conference call is boisterous with lots of finger pointing. Finally, they all agree on an action plan. As a part of remediation, the website Project Manager instructs the web publishers to remove the offensive content from the web server. The Project Manager requests the web operations team to secure the ftp webserver to ensure the security holes are plugged.&lt;/FONT&gt;&amp;nbsp;&lt;FONT face=Garamond size=3&gt;Around 5:00am, remediation is complete. The knee-jerk reaction is over and there is an ensuing calm after the storm. The CIO’s phone rings around 7:00am; he picks up the phone, he is feeling better after some decent sleep, and he sounds somewhat pleasant over the phone. Wayne informs him that the incident has been remediated and the offensive content has been removed. The CIO says: Great! But what is your long term plan for the security of web stuff?&lt;/FONT&gt; 
&lt;P&gt;&lt;FONT face=Garamond size=3&gt;&lt;BR&gt;Hmmm.. Security of web stuff. Wayne goes into thinking mode. How do I go about this? I do know the solution has to be practical and realistic for my budget. There are several hundred internal websites and several dozen external websites. Where do I start? Let me present this challenge to Tim to come up with an action plan.&lt;/FONT&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;
&lt;P&gt;&lt;BR&gt;&amp;nbsp;&lt;/P&gt;&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/H5&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/DIV&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Information security in bad economy</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2008/10/26/3948897.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2008/10/26/3948897.html</guid>
    <pubDate>Sun, 26 Oct 2008 19:37:40 -0700</pubDate>
    <description>&lt;P&gt;The economy looks grim. The headlines are very discouraging. Capitalism does not guarantee wealth and success all the time. The talking heads on TV blame the greed in the stock market. I wish the stock market were made of just computers rather than greedy human beings. These things are bound to happen when human beings participate! Money flows will eventually correct themselves, I hope, and capitalism will be healthy again. This will take time. I am not an economist, but I do understand that people part with money for a period of time to collect a higher return on the horizon, based on their appetite for risk. Simple, is it not? But all these complex financial instruments and their machinations seem to blur reality and make even the brainiest act dumb - or are they just plain greedy?&lt;/P&gt;
&lt;P&gt;Setting the context for this post: it is a tough economic situation all over the world. IT spending has reduced and will reduce significantly. In one of my earlier posts, I had referred to information security as an overhead of an overhead (IT). What is a good approach for security practice in this type of economy?&lt;/P&gt;
&lt;P&gt;I don&#39;t have a magic wand to pull a rabbit out of a hat. I have always been told that a tough economy is the time for really smart people to make money. Coming back to the information security topic, with a bit of common sense, it is wise for information security professionals to offer services in those areas that do not involve capital expenditure. As a Security Manager, you may already be aware that your people are willing to go the extra mile in the current economic times.&lt;/P&gt;
&lt;P&gt;- No budget, or lack of budget, means no new capital expenditure. Spend time wisely in building a future technology strategy and keep it in your back pocket for when the economy turns around.&lt;/P&gt;
&lt;P&gt;- This is a good time to create roles, responsibilities and ownership for various areas. Create operating procedures. Have your team automate tasks. This will help your operations become more efficient.&lt;/P&gt;
&lt;P&gt;- This is the time for security awareness education. Create pamphlets, brochures and presentations for online or classroom training. Use your own and your team&#39;s time to impart the training.&lt;/P&gt;
&lt;P&gt;- Leverage the technology platforms you have already invested in, and the features that reduce costs. If you have already invested in technology such as VMware, this is the time to get the best out of it. You can use VMware&#39;s toolkit to build your lab and staging environment and optimize hardware cost.&lt;/P&gt;
&lt;P&gt;- Offshoring has been the mantra of senior executives; this is the time to revisit those services, measure their performance closely and assess your satisfaction level. This is a good time to build a case against offshoring if it makes sense.&lt;/P&gt;
&lt;P&gt;- Companies are more vulnerable in bad economic times. Under these circumstances you are in a better position to influence senior management about information security risks and drive home the value of protecting your intellectual property. Management will be all ears for such a pitch.&lt;/P&gt;
&lt;P&gt;- Time to engage your architect to optimize your security architecture, revisit standards and optimize the design for cost efficiency.&lt;/P&gt;
&lt;P&gt;- Revisit your various controls and see if there are some risks on which you could optimize spending.&lt;/P&gt;
&lt;P&gt;- The training budget is an unfortunate victim of this type of economy. Encourage employees to take the free webinars offered by various security vendors and to share a summary across the team. This keeps your employees in touch with the latest happenings in security, and some learning is imparted despite a zero training budget.&lt;/P&gt;
&lt;P&gt;- Since there are very few projects in action, this is a good time to have conversations with cross-functional teams, educate them about your services and solicit feedback on how to do better.&lt;/P&gt;
&lt;P&gt;- Revisit your vendor logistics and identify whether you can renegotiate some of your existing contracts.&lt;/P&gt;
&lt;P&gt;The above are some good ways by which you can optimize costs; this will also enhance your team&#39;s competence in the long run. And this approach is better than letting people go, if you can pull it off.&lt;/P&gt;
</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Building secure application</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2008/10/2/3912084.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2008/10/2/3912084.html</guid>
    <pubDate>Thu, 02 Oct 2008 06:35:44 -0700</pubDate>
    <description>&lt;P&gt;&lt;IMG style=&quot;WIDTH: 434px; HEIGHT: 369px&quot; height=404 src=&quot;http://ravichar.blogharbor.com/developer.bmp&quot; width=604&gt;&lt;/P&gt;
&lt;P&gt;Developers have the objective of building a functional application. They are focused on building more functionality into applications. Moreover, building in security creates more workload for Developers, which is a disincentive, and Developers are rewarded for building more functionality rather than more security. In my professional life I have never seen a Developer rewarded for building a secure application.&lt;/P&gt;
&lt;P&gt;Hackers are focused on how to break the application. They look for weak links in the application that will enable them to access application data. Developers usually follow a process to build an application, but Hackers have no process; all they have is a multitude of possibilities. Hackers are innovative in trying various permutations to compromise the application.&lt;/P&gt;
&lt;P&gt;The million dollar question is whether we can build secure applications when a Developer is focused on functionality and not on breaking the application.&lt;/P&gt;
&lt;P&gt;There is a school of thought about Inside-out security, where the application is built securely from scratch. Unfortunately, this approach won&#39;t suffice, because hackers traverse Outside-in. A little reflection will highlight the importance of vulnerability scanning and penetration testing of the application. This brings in the perspective of what developers do not already know.&lt;/P&gt;
&lt;P&gt;Building a secure application inside out is not enough. In order to address unknown unknowns (the blind spots of developers), penetration testing should be done. Both whitebox-style penetration testing (where the components of the application are known) and blackbox-style penetration testing (which mimics a Hacker who may not have any knowledge of the application) should be carried out.&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;An application with a higher level of security is not built just by Developers. It is built by an integrative process combining the Developer mindset and the Hacker mindset. This will be a constant struggle for years to come.&lt;BR&gt;&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;
</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>The asymmetry of data loss - data thief has an upper hand</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2008/10/1/3910766.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2008/10/1/3910766.html</guid>
    <pubDate>Wed, 01 Oct 2008 06:33:22 -0700</pubDate>
    <description>&lt;P&gt;I read this awesome book by Dan Geer, &lt;A href=&quot;http://www.verdasys.com/thoughtleadership/&quot;&gt;Economics and Strategies of Data Security&lt;/A&gt;. It gave structure to my thoughts about a complex topic such as data security.&lt;/P&gt;
&lt;P&gt;When a data owner&#39;s (a business&#39;s) sensitive data is breached, it is difficult to quantify the monetary loss. According to respectable survey sources, the average cost of a sensitive data breach for a large company is about $50,000. I am attempting here to think about this in simple mathematical terms:&lt;/P&gt;
&lt;P&gt;There is a data breach. From the data owner&#39;s perspective the loss is:&lt;/P&gt;
&lt;P&gt;&lt;FONT color=#3366ff&gt;Loss = Cost to protect data + Loss of business due to data theft (aka cost of competitive disadvantage)&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;From the data thief&#39;s perspective:&lt;/P&gt;
&lt;P&gt;&lt;FONT color=#3333ff&gt;Net Gain = [Cost of producing the data * Data freshness factor] - Cost to steal the data + Profit of business due to data (aka gain of competitive advantage)&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;From the above two equations it is very clear that this is not a zero-sum game. There is a clear cost asymmetry between a data owner and a data thief. When there is an asymmetry there is an opportunity. The data owner may not even know that the data is lost, because the original copy of the data may still be intact - the data thief could have simply copied the data. Data theft does not look like car theft; there is no vacuum left behind.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;This motivates a data thief to keep the cost to steal low, to steal highly valuable data that has a long shelf life, and to do so in a way that the data owner will never even be aware of the theft.&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;From a data thief&#39;s perspective, if the cost to steal data is kept high it would disincentivize him. Moreover, the Data freshness factor, i.e. how valuable the data is over a period of time, plays an important role. A good example: the content of today&#39;s newspaper is hardly valuable tomorrow, but the content of the newspaper two days ahead (if it could be procured) would be invaluable. Data relevance is a function of time and other marketplace variables - the Data freshness factor accounts for that. A good way to discourage a data thief is to increase his/her cost to steal the data. There are other inferences from the above equation. If there is no competitive advantage to be had from the stolen data, hardly any thief would even venture to steal the data in the first place. If the cost of producing the data is very low, then the thief can probably just produce the data himself and would not attempt to steal it. If the cost of theft through technical mechanisms is kept high, it would definitely deter the data thief from stealing data that way; the data thief would then exploit weak links in data security, such as social engineering, to get access to the data.&lt;/P&gt;
&lt;P&gt;From the data owner&#39;s perspective, protecting data becomes very important. How much would the owner be willing to spend? Certainly not a cost equal to the cost of producing the data; 1% to 10% of the cost of producing the data is considered prudent. For a data owner it is difficult to estimate the cost of protecting a specific piece of data, because it is not easy to break data protection costs into chunks. Moreover, as Dan Geer says in his book, a data owner has to protect himself from a number of intruders, not just one.&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;It pays for a data owner to: be aware of data breaches (or data leaks); employ appropriate mechanisms to protect the data, at a cost of protection that is a fraction of the value of the data; and enhance the information security awareness of the personnel who handle the data.&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;Data loss is not a zero-sum game. The advantage is in favor of the data thief (data thieves, rather). The data owner does not give much thought to the value of data unless there is a data theft. But a data thief has every reason to think about the economics of data theft before he acts to steal the data, or else he won&#39;t survive in this game, and he is very well aware of his advantageous position.&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Misc notes on IDS/IPS</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2008/9/28/3905240.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2008/9/28/3905240.html</guid>
    <pubDate>Sun, 28 Sep 2008 20:11:06 -0700</pubDate>
    <description>&lt;P&gt;Chris Hoff&#39;s response on his blog &lt;A href=&quot;http://rationalsecurity.typepad.com/&quot;&gt;Rational Survivability&lt;/A&gt; makes me happy on two fronts. The primary reason I started this blog was to use this medium as an outlet for my ungrounded ego. The other was to participate in the Security Blogging community, which was then catching on when I started this blog 2 years ago. To get a response to my musings from brilliant minds such as Mike Rothman, Alan Shimel, Chris Hoff and others gives me immense joy. Maybe this is good therapy for my undiagnosed attention deficit.&lt;/P&gt;
&lt;P&gt;It does not matter if Chris is right or I am right. The outcome of IDS/IPS is all determined by the random drift of market forces. There is no conspiracy to make IDS/IPS this way or that way. I would like to wrap up with a quote from Arthur Chandler: &quot;We can tell when a technology has truly arrived when the new problems it gives rise to approach in magnitude the problem it was designed to solve&quot;.&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Please contact Microsoft for Firefox problem?  True but Funny Dialog Box</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2008/9/25/3901057.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2008/9/25/3901057.html</guid>
    <pubDate>Thu, 25 Sep 2008 06:23:47 -0700</pubDate>
    <description>&lt;P&gt;&lt;FONT face=Garamond&gt;&lt;IMG src=&quot;http://ravichar.blogharbor.com/dialog.bmp&quot;&gt;&lt;/FONT&gt;&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>IDS/IPS - is it Vitamins?</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2008/9/24/3899861.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2008/9/24/3899861.html</guid>
    <pubDate>Wed, 24 Sep 2008 18:35:22 -0700</pubDate>
    <description>&lt;P&gt;Alan Shimel&#39;s post &quot;&lt;A href=&quot;http://www.stillsecureafteralltheseyears.com/ashimmy/idsips/index.html&quot;&gt;IDS - the beast that just won&#39;t die&lt;/A&gt;&quot; triggered my hidden thoughts about IDS.&lt;/P&gt;
&lt;P&gt;Rather than thinking about IDS as a device or piece of software that provides fancy features, let me try to summarize some assertions about IDS:&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style=&quot;MARGIN-RIGHT: 0px&quot;&gt;
&lt;P&gt;IDS can capture tons of intrusion events; there are so many don&#39;t-care events that it is difficult to single out an event such as a zero-day event in the midst of such noise.&lt;/P&gt;
&lt;P&gt;It requires tremendous effort to sift through the log and derive meaningful actions from the log entries.&lt;/P&gt;
&lt;P&gt;IDS needs a dedicated administrator to manage it: an administrator who won&#39;t get bored of looking at all the packets and patterns, a truly boring job for a security engineer. Probably this job would interest a geekier person, but geeks tend to their own interesting research!&lt;/P&gt;
&lt;P&gt;There are companies that do without IDS, and they do just fine. I agree with Alan&#39;s assessment that IDS is like a Checkbox in most cases. Businesses can run without IDS just fine, so why invest in such a technology?&lt;/P&gt;
&lt;P&gt;Firewalls and other devices have built-in IDS features, so why invest in a separate product?&lt;/P&gt;
&lt;P&gt;IDS is like Vitamins: nice to have, and not having them won&#39;t kill you in most cases. Customers are willing to pay for Pain Killers because they have to address their pain right away. For Vitamins, they can wait. Stop and think for a moment: without an Anti-virus product, businesses can&#39;t run for even a few days. But without IDS, most businesses can run just fine, and I base this on my own experience.&lt;/P&gt;
&lt;P&gt;I have probably offended folks from the IDS camp. I have a good friend who is a founder of an IDS company; I am sure he will react differently if he reads my narratives about IDS. Once businesses start realizing that IDS is a Checkbox, they will scale down their investments in this area. In the current economic climate, financial institutions are not doing well. Financial institutions are big customers in terms of security products; with the current financial meltdown, they will scale down heavily on their spending on Vitamins.&lt;/P&gt;
&lt;P&gt;Running IDS software on VMware sounds fancy. Technology does not matter unless you can address real-world pain and prove the utilitarian value of such a technology. I am really surprised that IDS continues to exist. Proof of existence does not foretell a great future. Running IDS on VMware does not make it any more utilitarian. I see a bleak future for IDS.&lt;/P&gt;&lt;/BLOCKQUOTE&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Cute names can&#39;t come to rescue</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2008/8/23/3852899.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2008/8/23/3852899.html</guid>
    <pubDate>Sat, 23 Aug 2008 23:26:05 -0700</pubDate>
    <description>&lt;P&gt;Most of us have heard the conversations about the looming threat to the survival of Fannie Mae and Freddie Mac. Their names are cute, but that can&#39;t help fix a bad strategy of making money by dishing out bad loans.&lt;/P&gt;
&lt;P&gt;I have had interactions with several security project managers who were very good at creating a buzz around their projects. Projects were given fancy names. The funniest project name I have heard was &quot;Baby Rhino&quot;. One day I got an email in my inbox with a subject line that said: Baby Rhino Captured! The email got my attention, but the project did not gain any extra respect because of the name; there was hardly any significant accomplishment in terms of its deliverable.&lt;/P&gt;
&lt;P&gt;I would rather stick with project names that signify the scope, relevance, meaning and value of a project. It is not bad to market a project, but trying to market a project without delivering value is a gimmick.&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Taming of the Information Security</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2008/7/9/3785025.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2008/7/9/3785025.html</guid>
    <pubDate>Wed, 09 Jul 2008 06:33:15 -0700</pubDate>
    <description>&lt;P&gt;&lt;FONT size=1&gt;In many mid-size to large organizations, information security grows up to become an unmanageable, complex beast. In some cases this happens consciously, where information security goes out of control; in other cases it happens unconsciously, where there is a slow but incremental increase in the complexity of information security which leads to chaos.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT size=1&gt;The information security field is not yet fully mature; there is a lack of a cohesive, interoperable framework. The rapidly evolving landscape adds to the existing problem. There are several examples: the Intrusion Detection System (IDS) was quickly overtaken by the Intrusion Prevention System (IPS). In the Firewall arena, the focus has moved from perimeter security to end point security. There are some security visionaries who are preaching an inside-out security approach, i.e. building products with information security in mind from the beginning of product development.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT size=1&gt;Threats are moving higher up the OSI stack, making them harder to detect. Hackers are becoming more sophisticated – there are powerful free open source hacking tools at their disposal. Security managers driving security initiatives without coordination can produce pieces of a puzzle that don&#39;t fit well. The agency problem, i.e. security managers thinking more about their personal advancement than about the security of the company, is bad for the company&#39;s security initiative. Security leaders who do not have a clear vision of security at the component level, the administration level and the strategy level can only make information security even more convoluted. The CISO and acting CIO of the US Department of Veterans Affairs resigned after the breach in May 2006 in which the personal data of 26 million veterans and more than 2 million service members was stolen. This clearly demonstrates the accountability and visibility of security leadership.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT size=1&gt;The attitude of IT security leaders and security team members has a significant impact on security. Reckless buying of information security technology can result in wasteful expenditure and very little gain in efficiency. Not understanding the business perspective of security issues, or the security perspective of business issues, can lead to poor security decisions. Using security as a mechanism to gain control rather than as a tool to reduce risk can only diminish the perceived value of the security initiative. Implementing security as an afterthought rather than building it into the framework results in poor architectural decisions. Security investment is more like buying insurance; thinking of security as a vehicle providing an ROI can result in wrong expectations and lead to poor decisions. The business in which a company operates contributes largely to the perceived importance of security. Financial institutions usually have a higher bar on security because of the very nature of their business and their exposure to legal liability. It is a good idea for many technology companies to emulate financial institutions to raise their information security bar.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT size=1&gt;It may be a pipedream to accomplish complete information security, but a well-managed information security program is an attainable goal.&lt;/FONT&gt;&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Security Function as a Business Enabler</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2008/6/27/3765919.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2008/6/27/3765919.html</guid>
    <pubDate>Fri, 27 Jun 2008 20:50:58 -0700</pubDate>
    <description>&lt;P&gt;In one of my earlier blog posts I branded the Information Security function (as part of IT) as an overhead of an overhead. It is of utmost importance for the security manager to run the security function in a way that enables the business.&lt;/P&gt;
&lt;P&gt;The various components (sub-functions) of the security organization should align with the business objectives of IT and of the whole organization. There needs to be a cohesive security strategy in order to align the various components. One good way of understanding the business objective is to ask why the business is parting with money to deploy a specific security component. Why is the business giving me money for Compliance? Why is the business giving me money to implement IDP? Constitutive questions such as these will help you to understand the fundamental concerns of the business, and based on these we can come up with a strategy suitably aligned with the business.&lt;/P&gt;
&lt;P&gt;One good example is the area of compliance. Attempting to make each and every unit of your business compliant with certain standards, legal regulations and so on would be a tall order. First define the scope: draw a circle around the units that need to be compliant, then come up with a strategy to make them compliant by formulating your objective - derived from the business objective of why the business gave you money.&lt;/P&gt;
&lt;P&gt;Any security implementation effort should have a well-defined focus (scope), a business objective and a strategy to bind the various components cohesively in alignment with the ultimate business objective. Then the business will view the security organization with dignity; otherwise the security organization will end up being a spoke in the wheel of business.&lt;/P&gt;
&lt;P&gt;In the past, I was involved in discussions about the ROI of information security, security as insurance and so on. After eating the forbidden apple from the tree of paradise, I realize security neither has an ROI nor is akin to insurance. Information security is a way of doing business with due care. Security is a way of enhancing the trust of a business among customers and thus enhancing the identity (or brand image) of the company. A few years down the line people won&#39;t even question why you do security; it will become a part of your background conversation. Nobody questions why we buy hybrid vehicles anymore, right?&lt;/P&gt;
&lt;P&gt;If the components of the security function are not cohesively aligned with the business objective, it is a spoke in the wheel of business; otherwise it is a brand enhancer for the business.&lt;/P&gt;
&lt;P&gt;&lt;IMG style=&quot;WIDTH: 370px; HEIGHT: 717px&quot; height=975 src=&quot;http://ravichar.blogharbor.com/Strategy.jpg&quot; width=545&gt;&lt;/P&gt;
</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>The Order of Diminishing Returns</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2008/6/17/3750175.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2008/6/17/3750175.html</guid>
    <pubDate>Tue, 17 Jun 2008 21:41:37 -0700</pubDate>
    <description>&lt;P&gt;This is a classic management term which needs no introduction for many folks. The more money you pour into the security budget, the more money will be spent buying unneeded security products, which can increase the complexity and reduce the efficiency of your security operations. A start-up company that I worked for long ago had installed 5 layers of Firewall to keep intruders out. The security manager claimed to me that they were there to &lt;STRONG&gt;really&lt;/STRONG&gt; protect the information assets, but I soon realized these firewalls were not configured right and were more a set of fireholes than a set of firewalls. Moreover, the maintenance costs of this type of complex security framework can be humongous. Imagine poor me debugging the firewall rules across these 5 layers of firewalls. But one thing is for sure: the job security of the security professional who implemented this complex security framework is guaranteed. In reality, the guy who implemented these 5 layers of firewall worked as a consultant for this start-up in the off hours and on weekends!&lt;/P&gt;
&lt;P&gt;I have also seen well-run security organizations; they are lean and mean. They not only provide continuous security thought leadership for the entire organization but also implement security in a simple and efficient way. The graph below gives a visual picture of what I mean by the order of diminishing returns.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;IMG style=&quot;WIDTH: 409px; HEIGHT: 282px&quot; height=336 src=&quot;http://ravichar.blogharbor.com/Order-of-diminishing.jpg&quot; width=409&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;On a related note, I have identified four different states of security organizations by considering employee competence and budget availability. Of course there are in-between states; I have considered only the extremes:&lt;/P&gt;
&lt;P&gt;&lt;IMG src=&quot;http://ravichar.blogharbor.com/Budget-vs-Competence.jpg&quot;&gt;&lt;/P&gt;
</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Application Due Care</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2008/2/18/3530987.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2008/2/18/3530987.html</guid>
    <pubDate>Mon, 18 Feb 2008 08:55:12 -0800</pubDate>
    <description>&lt;P&gt;Often I hear phrases such as &quot;if the application is truly built secure inside-out, then there is no need for other security layers&quot;. A truly secure application is a far-fetched claim; three questions need to be asked:&lt;/P&gt;
&lt;P&gt;1. What is the application made of? - Complexity.&lt;/P&gt;
&lt;P&gt;2. How was the application built? - Methodology.&lt;/P&gt;
&lt;P&gt;3. Where does the application run? - Environment.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;#1. Complexity&lt;/STRONG&gt; - Applications are developed using one or more of: open source software, third-party libraries, re-used libraries (from the past), middleware, databases and the run-time environment. In order to develop a truly secure application we need to ensure security in all of the components that go into building the application.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;#2. Methodology&lt;/STRONG&gt; - The development methodology that is employed to build the application. This brings up several issues: customization work, secure coding practice, outsourced development, offshore development, peer review, development tools, security requirements as a part of the design, source code scanning, threat modelling and penetration testing.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;#3. Environment&lt;/STRONG&gt; - Applications exist in an environment. This brings up several considerations such as the operating system, virtualized operating systems (such as VMware), other applications that co-exist with this application, CPU hardware, storage, network and lastly whether the application runs behind the firewall or in the DMZ.&lt;/P&gt;
&lt;P&gt;It is an overstatement to say that an application built using a secure development methodology is secure. All three factors, Complexity, Methodology and Environment, should be considered to make a judgement call about application security. The pragmatic approach is to build an application that is secure enough that it poses only risks that are acceptable to the business (customer); this is what I would like to call &quot;Application Due Care&quot;.&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Security is Invisible and Customers won&#39;t Pay for Security</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2008/1/25/3486968.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2008/1/25/3486968.html</guid>
    <pubDate>Fri, 25 Jan 2008 19:06:11 -0800</pubDate>
    <description>&lt;P&gt;A few years ago a dentist that I consulted with recommended me Dental Protector for &lt;A href=&quot;http://hocks.com/Merchant2/merchant.mvc?Screen=PROD&amp;amp;Product_Code=4897898&amp;amp;gdftrk=viHSLsl6E37tLP/85HJLprLdLyHsfGZ4PWMsWY2Mnr/4JYPVkETwIXwjocOi3cdIzkmvlRKFfQp8bN6BBbVDQu8YUMsoFr5imzxfsoA965YKc0kLuWWPT~o1FsiusA3KSN3uNV84eijAkAc0o3wXIR8O0W2k3ZgaPEQoe5u1OBXe6V5CqW74XDT1sAkTrnIZVUa0A2pLzvVuhLQLWmy4F8PAw8xBLhOPdyEmqsa18gs_&quot;&gt;Night Time Teeth Grinding&lt;/A&gt;. She mentioned that I grind my teeth during sleep. How in this world can I disprove her statement unless I have some external observer to monitor me all night to validate my teeth grinding! &lt;/P&gt;
&lt;P&gt;Security is invisible. Customers are willing to pay for visible software product functionality but not for a secure software product development methodology. Unfortunately, most of the security is in the back end; if security truly works well it should be &quot;invisible&quot;, and the fact that it is hidden does not motivate customers to pay anything extra. Security incidents motivate customers to act; this is the time when security becomes visible, but the limelight fades away as soon as the incident is handled.&lt;/P&gt;
&lt;P&gt;We as security professionals see the internal mechanics of software security and can also speculate about the ramifications of poor software security in customer deployments. Just because we see this, we can&#39;t expect customers to pay for it. Making security visible to the customer would defeat the whole purpose of security, and making it invisible diminishes the value of security. It is a dichotomy that we (as security professionals) have to manage and live with. Customers who notice and are aware of security may start checking the security aspects of a product before buying it. Unfortunately, security is just one aspect; buying a specific product over other products purely based on security is a pipe dream. In the distant future when all products have security built in, security won&#39;t be a differentiator anymore and the visibility of security will diminish even further.&lt;/P&gt;
&lt;P&gt;If security were highly visible, we would find Steve Jobs touting security on stage at MacWorld. Maybe this is the reality check for security professionals.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Media and Our Mind - Risk is All About Perception</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2008/1/23/3482332.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2008/1/23/3482332.html</guid>
    <pubDate>Wed, 23 Jan 2008 07:22:32 -0800</pubDate>
    <description>&lt;P&gt;Dave has an excellent blog post on how the media affects our risk perception. &lt;A href=&quot;http://blogs.netapp.com/dave/me_myself_and_i/index.html&quot;&gt;Dave Hitz&lt;/A&gt; is the founder of &lt;A href=&quot;http://www.netapp.com&quot;&gt;NetApp&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;This is what Dave says:&lt;/P&gt;
&lt;P&gt;&quot;A good risk management plan &lt;EM&gt;should&lt;/EM&gt; take into account hurricanes, lost tapes, lost laptops, and maybe even terrorist attacks, but realistically, headlines typically don&#39;t highlight the most important risks. You are much more likely to lose data from human error or inadequately tested backup and recovery processes than from floods or attacks, but inadequate processes don&#39;t make good headlines. In addition, headlines fade quickly – if something becomes frequent it&#39;s often less newsworthy, but the risk remains. Our more sophisticated customers, like financial institutions, build risk management models that already include the items most likely to show up in the headlines, and if they use media reports at all, it&#39;s to update some aspect of their model, like the probability of a particular event, or the impact and cost. &lt;/P&gt;
&lt;P&gt;In summary, don&#39;t worry about terrorists until restore from your nightly backup is well tested. &quot;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;More details can be found on his blog&amp;nbsp;&lt;A href=&quot;http://blogs.netapp.com/dave/2007/06/shark_island_a_.html&quot;&gt;here.&lt;/A&gt;&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>An interesting Whitepaper on Web 2.0 Security &amp; Fortify Event</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2008/1/18/3473232.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2008/1/18/3473232.html</guid>
    <pubDate>Fri, 18 Jan 2008 07:40:36 -0800</pubDate>
    <description>&lt;P&gt;I was fortunate to be introduced to a good ex-Microsoft security person, &lt;A href=&quot;http://www.truststix.com/about.html&quot;&gt;Shivaram Mysore&lt;/A&gt;. He has an interesting whitepaper on &lt;A href=&quot;http://www.truststix.com/resources/whitepapers/web20security/Web2_0Security.pdf&quot;&gt;Web 2.0 Security&lt;/A&gt;. It is a worthy read. The whitepaper gives a brief introduction to the available service models and frames the thought process of securing Web 2.0 around these service architectures.&lt;/P&gt;
&lt;P&gt;I recently attended the pre-screening of the Information Security documentary titled: &lt;A href=&quot;http://www.youtube.com/watch?v=-5zxOLZ5jXM&quot;&gt;The New Face of Cybercrime&lt;/A&gt;. The documentary was very nicely done, considering the Director Fredric Golding has no background in Information Security. &lt;/P&gt;
&lt;P&gt;The thought leaders panel discussion was very stimulating. Being an analogy person, I liked the analogy narrated by &lt;A href=&quot;http://www.aeispeakers.com/speakerbio.php?SpeakerID=1192&quot;&gt;Howard Schmidt&lt;/A&gt;, former White House Security Advisor, between the evolution of Information Security and the evolution of firefighting. In the past, firefighting was a reactive approach, but these days people factor the threat of fire proactively into the building design: sprinklers, fire retardant materials and so on. Another panelist, &lt;A href=&quot;http://www.kpcb.com/team/schlein&quot;&gt;Ted Schlein&lt;/A&gt;, Managing Partner at KPCB, mentioned that security spending is around $12 billion/year while the loss due to information security breaches is around $100 billion/year; the trail of money always sounds interesting to me. There were lots of discussions about the Inside-Out vs. Outside-In approach to Information Security.&lt;/P&gt;
&lt;P&gt;Thanks to &lt;A href=&quot;https://www.blogware.com/www.fortifysoftware.com&quot;&gt;Fortify&lt;/A&gt; for putting this event together. I am sure more such events should happen amongst the executive crowd to bring about a high level of security awareness.&lt;/P&gt;
&lt;P&gt;Lastly, I would like to conclude this post by stressing the importance of user awareness, because user awareness determines &quot;usage&quot;, which is a very important component of the threat model of an information system. I conclude by repeating the popular quote: &quot;There is no patch for stupidity&quot;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Excellent addition to Information Security Blogging Community</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2007/11/21/3368913.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2007/11/21/3368913.html</guid>
    <pubDate>Wed, 21 Nov 2007 18:43:11 -0800</pubDate>
    <description>&lt;P&gt;My good friend, Muni Tripathi has started blogging on Information Security. You can read his blog about security at:&lt;/P&gt;
&lt;P&gt;&lt;A href=&quot;http://muni-on-security.blogspot.com/&quot;&gt;http://muni-on-security.blogspot.com/&lt;/A&gt;&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Getting vulnerabilities in the application fixed</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2007/10/27/3317198.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2007/10/27/3317198.html</guid>
    <pubDate>Sat, 27 Oct 2007 13:20:07 -0700</pubDate>
    <description>&lt;P&gt;I have been approached by a few security professionals about the problem they encounter in getting software developers to fix the vulnerabilities that are detected in the application.&lt;/P&gt;
&lt;P&gt;Let us accept the fact that developers are mostly busy focusing their time and effort on the functionality of the application. Most of the time the software development manager gets away with the &quot;busy&quot; excuse. One approach that I suggest is to rank the vulnerabilities based on &quot;severity&quot; (how bad it is if the vulnerability is exploited) and &quot;threat&quot; (how likely exploitation of the vulnerability is) and communicate this list to the software development team. Give the software development manager time to fix the vulnerabilities - usually the time that the software development manager thinks is acceptable.&lt;/P&gt;
&lt;P&gt;If the vulnerabilities are not acted upon despite your first meeting, then try this route: require the software development manager and the business owner of the application to sign a business risk acceptance form. The risk acceptance form could be as simple as a Word document with a list of high severity/threat vulnerabilities and a narrative stating that the signatories of the form acknowledge the existence of the vulnerabilities (that you communicated) and have accepted the risk (posed by the vulnerabilities) for a time period specified in the form. This way, as a security professional, you are covered: you did your job in communicating the security risk to the stakeholders. Now that they have signed the form, if something bad happens the accountability for the event lies outside of you.&lt;/P&gt;
&lt;P&gt;You may find that the business risk acceptance form is a good tool to motivate the software development manager, who would rather mobilize resources to act on the vulnerabilities than sign the business risk acceptance form.&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Web 2.0 SecureD. DelivereD.  :)</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2007/10/13/3288697.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2007/10/13/3288697.html</guid>
    <pubDate>Sat, 13 Oct 2007 09:29:44 -0700</pubDate>
    <description>&lt;P&gt;Web 2.0 has become a well-accepted piece of jargon in the current marketplace. It is a set of new web-based technologies that enable the building of on-line communities.&lt;/P&gt;
&lt;P&gt;Web 2.0 is a democracy of user communities [thanks to Paul Graham for his definition]. Web 2.0 gives users more power to interact, customize, share and leverage.&lt;/P&gt;
&lt;P&gt;The democratization of users brings significant problems.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;1. Loss of privacy:&lt;/STRONG&gt; Ease of use motivates users to upload personal information. Many users are not aware of the ramifications of the loss of personal information, or they don&#39;t even think along those lines. A good example is an employer going through the Facebook entry of a potential hire.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;2. Hackers&#39; Paradise:&lt;/STRONG&gt; New technology brings new vulnerabilities. Hackers are having a party exploiting Web 2.0 based applications. We are currently more vulnerable with Web 2.0 than we were with Web 1.0.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;3. Lots of Junk:&lt;/STRONG&gt; Take for example Wikipedia: anyone, anywhere can edit the content [everybody is an expert!]. How can I trust the quality of the information? It is not possible to reference Wikipedia in a research paper. Moreover, it puts the burden on users to sift the good stuff from the bad.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;4. Copyright/Intellectual Property Violations:&lt;/STRONG&gt; I don&#39;t have to say much about this. Web 2.0 provides a platform for such violations and magnifies the impact [record label sues Napster, Viacom sues Google over YouTube clips].&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;5. Other Social Problems:&lt;/STRONG&gt; People can interact on-line in ways that were not possible before. These new interactions create a new set of social problems.&lt;/P&gt;
&lt;P&gt;...and many more problems that would make this blog post long and boring.&lt;/P&gt;
&lt;P&gt;Some of the above aspects can be addressed: for example, building web applications securely from the ground up can help keep hackers out. Designing a Web 2.0 application to ensure that users use the platform responsibly is a good idea too. Spreading security awareness education to on-line communities can help engender responsible and secure use of the web.&lt;/P&gt;
&lt;P&gt;Security should be a feature added to Web 2.0; let&#39;s call the result Web 2.T3. The &quot;T3&quot; represents the security triad: Confidentiality, Integrity and Availability.&lt;/P&gt;
&lt;P&gt;Though security does not address all aspects of Web 2.0, Web 2.T3 will surely be a better place to live.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>The Moo Security through Sacredness</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2007/8/29/3191987.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2007/8/29/3191987.html</guid>
    <pubDate>Wed, 29 Aug 2007 04:30:13 -0700</pubDate>
    <description>&lt;P&gt;&lt;IMG src=&quot;http://ravichar.blogharbor.com/moo1.JPG&quot;&gt;&lt;/P&gt;
&lt;P&gt;I am currently in India, attending to my dad&#39;s health concern. I stay awake at wee hours, still recovering from the jetlag. The cow is considered a sacred animal in India for a multitude of reasons:&lt;/P&gt;
&lt;P&gt;1. The cow gives milk, which is a main source of protein in many parts of India.&lt;/P&gt;
&lt;P&gt;2. Diluted cow&#39;s milk is given to newborn babies in cases where the mom is not lactating, hence elevating the status of the cow to that of a mom.&lt;/P&gt;
&lt;P&gt;3. Cow dung can be used as manure, and dried dung cake is also used as fuel.&lt;/P&gt;
&lt;P&gt;4. Cow&#39;s urine is used as a cleansing agent and also for other medicinal purposes.&lt;/P&gt;
&lt;P&gt;The cow is considered sacred because of its utility value to common people. Cows roam freely around the streets of my hometown and they are unharmed because they are sacred. By being sacred, the cow is the most &lt;STRONG&gt;secure&lt;/STRONG&gt; animal over here.&lt;/P&gt;
&lt;P&gt;The security function is considered an extension of IT; it is an overhead of an overhead, and it is not sacred. The security function is usually the first to feel the pinch of an IT budget cut. A good way to make the security function &quot;secure&quot; is to make it sacred. There are standards like ISO27001 and COBIT which are well respected and considered sacred in the security domain. By conforming the security function to such standards we can not only create a perception of &quot;sacredness&quot; for the security program but also communicate the value of the program easily through the standard&#39;s framework.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
  <item>
    <dc:creator>RaviC</dc:creator>
    <title>Lost laptop = Lost data!</title>
    <link>http://ravichar.blogharbor.com/blog/_archives/2007/8/18/3166459.html</link>
    <guid>http://ravichar.blogharbor.com/blog/_archives/2007/8/18/3166459.html</guid>
    <pubDate>Sat, 18 Aug 2007 08:28:15 -0700</pubDate>
    <description>&lt;P&gt;The laptop has become our essential travel companion. A lost brand-new laptop without personal or company data results in a loss equal to the current market value of the laptop. A lost laptop with personal or company data can result in a loss that depends on the value of the &quot;data&quot;. It is easier to make amends for a lost laptop, but making amends for lost valuable company data or valuable personal data may not be possible.&lt;/P&gt;
&lt;P&gt;It is very important for us to be &quot;laptop data aware&quot;, i.e. to know the categories of data the laptop holds and the consequences of losing that data. A good practice is to treat your &lt;STRONG&gt;laptop like your wallet&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;I found these 9 tips on the &lt;A href=&quot;http://www.microsoft.com/atwork/stayconnected/laptopsecurity.mspx&quot;&gt;Microsoft website&lt;/A&gt;. These tips are really thoughtful and well written, and hence I would like to repeat them below:&lt;/P&gt;
&lt;P&gt;Use these 9 tips to learn how you can keep your laptop more secure when you&#39;re on the road.&lt;/P&gt;
&lt;P&gt;
&lt;TABLE class=numberedList cellSpacing=0 cellPadding=0 border=0&gt;
&lt;TBODY&gt;
&lt;TR vAlign=top&gt;
&lt;TD class=listNumber noWrap align=right&gt;
&lt;P&gt;1.&lt;/P&gt;&lt;/TD&gt;
&lt;TD&gt;
&lt;P&gt;Avoid using computer bags. Computer bags can make it obvious that you&#39;re carrying a laptop. Instead, try toting your laptop in something more common like a padded briefcase or suitcase.&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR vAlign=top&gt;
&lt;TD class=listNumber noWrap align=right&gt;
&lt;P&gt;2.&lt;/P&gt;&lt;/TD&gt;
&lt;TD&gt;
&lt;P&gt;Never leave access numbers or passwords in your carrying case. Keeping your password with your laptop is like keeping the keys in the car. Without your password or important access numbers it will be more difficult for a thief to access your personal and corporate information.&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR vAlign=top&gt;
&lt;TD class=listNumber noWrap align=right&gt;
&lt;P&gt;3.&lt;/P&gt;&lt;/TD&gt;
&lt;TD&gt;
&lt;P&gt;Carry your laptop with you. Always take your laptop on the plane or train rather than checking it with your luggage. It&#39;s easy to lose luggage and it&#39;s just as easy to lose your laptop. If you&#39;re traveling by car, keep your laptop out of sight. For example, lock it in the trunk when you&#39;re not using it.&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR vAlign=top&gt;
&lt;TD class=listNumber noWrap align=right&gt;
&lt;P&gt;4.&lt;/P&gt;&lt;/TD&gt;
&lt;TD&gt;
&lt;P&gt;Encrypt your data. If someone should get your laptop and gain access to your files, encryption can give you another layer of protection. With Windows XP and Windows Vista you can choose to encrypt files and folders. Then, even if someone gains access to an important file, they can&#39;t decrypt it and see your information. Learn more about how to &lt;A href=&quot;http://www.microsoft.com/windowsxp/using/security/learnmore/encryptdata.mspx&quot;&gt;encrypt your data with Windows XP&lt;/A&gt; or &lt;A href=&quot;http://windowshelp.microsoft.com/Windows/en-US/Help/5a2b6b98-9833-4d73-967e-9293bd1a54e91033.mspx&quot;&gt;encrypt your data with Windows Vista&lt;/A&gt;.&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR vAlign=top&gt;
&lt;TD class=listNumber noWrap align=right&gt;
&lt;P&gt;5.&lt;/P&gt;&lt;/TD&gt;
&lt;TD&gt;
&lt;P&gt;Keep your eye on your laptop. When you go through airport security don&#39;t lose sight of your bag. Hold your bag until the person in front of you has gone through the metal detector. Many bags look alike and yours can easily be lost in the shuffle.&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR vAlign=top&gt;
&lt;TD class=listNumber noWrap align=right&gt;
&lt;P&gt;6.&lt;/P&gt;&lt;/TD&gt;
&lt;TD&gt;
&lt;P&gt;Avoid setting your laptop on the floor. Putting your laptop on the floor is an easy way to forget or lose track of it. If you have to set it down, try to place it between your feet or against your leg (so you&#39;re always aware it&#39;s there).&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR vAlign=top&gt;
&lt;TD class=listNumber noWrap align=right&gt;
&lt;P&gt;7.&lt;/P&gt;&lt;/TD&gt;
&lt;TD&gt;
&lt;P&gt;Buy a laptop security device. If you need to leave your laptop in a room or at your desk, use a laptop security cable to securely attach it to a heavy chair, table, or desk. The cable makes it more difficult for someone to take your laptop. There are also programs that will report the location of a stolen laptop. They work when the laptop connects to the Internet, and can report the laptop&#39;s exact physical location. Some tracing programs include &lt;A href=&quot;http://www.sentryinc.com/&quot;&gt;CyberAngel&lt;/A&gt; and &lt;A href=&quot;http://www.computrace.com/&quot;&gt;ComputracePlus&lt;/A&gt;.&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR vAlign=top&gt;
&lt;TD class=listNumber noWrap align=right&gt;
&lt;P&gt;8.&lt;/P&gt;&lt;/TD&gt;
&lt;TD&gt;
&lt;P&gt;Use a screen guard. These guards help prevent people from peeking over your shoulder as you work on sensitive information in a public place. This is especially helpful when you&#39;re traveling or need to work in a crowded area. This screen guard from &lt;A href=&quot;http://www.secure-it.com/products/privacy_notebook.htm&quot;&gt;Secure-It&lt;/A&gt; is just one example of a screen guard you could use.&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR vAlign=top&gt;
&lt;TD class=listNumber noWrap align=right&gt;
&lt;P&gt;9.&lt;/P&gt;&lt;/TD&gt;
&lt;TD&gt;
&lt;P&gt;Try not to leave your laptop in your hotel room or with the front desk. Too many things have been lost in hotel rooms and may not be completely secure. If you must leave your laptop in your room, put the &quot;do not disturb&quot; sign on the door.&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/P&gt;</description>
    
    <category domain="http://ravichar.blogharbor.com/blog">Main Page</category>
    
    
    
    
  </item>
  
</channel>
</rss>
